
List:       isn
Subject:    [ISN] Hacking Victim Bit9 Blames SQL Injection Flaw
From:       InfoSec News <alerts () infosecnews ! org>
Date:       2013-02-26 7:52:29
Message-ID: alpine.DEB.2.02.1302260152200.1406 () infosecnews ! org

http://www.cio.com/article/729401/Hacking_Victim_Bit9_Blames_SQL_Injection_Flaw

By Jeremy Kirk
IDG News Service
February 25, 2013

Bit9 said a common Web application vulnerability was responsible for allowing 
hackers to ironically use the security vendor's systems as a launch pad for 
attacks on other organizations.

Based in Waltham, Massachusetts, the company sells a security platform that is 
designed in part to stop hackers from installing their own malicious software. 
In an embarrassing admission, Bit9 said earlier this month that it had neglected to 
install its own software on a part of its network, which led to the 
compromise.

In a more detailed explanation on its blog on Monday, Bit9 said attackers 
gained access by exploiting a SQL injection flaw in one of its Internet-facing 
Web servers. A SQL injection flaw lets an attacker enter database commands through a 
Web-based form and have the backend database execute them.

The compromise happened around July 2012, wrote Bit9's CTO Harry Sverdlove. 
Once inside Bit9, the hackers accessed a virtual machine used to digitally sign 
code for Bit9, a security measure that verifies the company's code is 
legitimate.

[...]
